Hi Stephan,
To be honest, I did play around with CAPKI a bit, and I am not 1000% sure if the trusted_cert_folder parameter really works as expected. I tried a few settings but did not get this to work. I was thinking that I can make a private and public key for each component and then put the public keys into the trusted folder, but did not get this to work.
As far as I understood, if you start to use CA PKI, all components that communicate with each other need to trust each other. So e.g. if you want to link the agent view in the AWI with the service managers and agents on the target system, you need to
- correctly install CA PKI on each target server, as well as on the central components (means run the command that is in the documentation), and have keys in place.
The only way I got this running was the following:
I copied the certificate files from the service manager on the automation engine (they got produced automatically when I installed the service manager), and I distributed these files to all servers where I have agents. Also I put these, I think, on the engine server and the AWI server. In all kinds of ini files you have this section:
[CAPKI]
certificate=C:\Automic\Automation.Platform\AutomationEngine\bin\ucsrv_certificate.pem
key=C:\Automic\Automation.Platform\AutomationEngine\bin\ucsrv_key.pem
And then in each ini file I referred to these 2 certificates, also in the ini files of the core components.
This was the only way I was able to make it possible to start and stop the agents from the AWI. And I think this is where your messages come from.
But to be honest - I'd find it cool if someone from product management could give some examples of how to set it up properly :)
Best Regards,
Roman Embacher
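An added example, not part of the original post or of Automic's own tooling: a Python audit of the [CAPKI] section quoted above across several ini files. It reports certificate or key paths that do not exist, key files readable by group/other, and ini files that reference identical private-key bytes (the result of copying one key pair to every host); the agent.ini and other.ini names and the PEM contents are constructed placeholders.

```python
import configparser, hashlib, os, stat, tempfile
from collections import defaultdict

def read_capki(ini_path):
    """Return the [CAPKI] section of one ini file as a dict ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read(ini_path)
    return dict(cp["CAPKI"]) if cp.has_section("CAPKI") else {}

def audit(ini_paths):
    """Return sorted (ini, option, problem) findings for the given ini files."""
    findings, key_users = [], defaultdict(list)
    for ini in ini_paths:
        sec = read_capki(ini)
        for opt in ("certificate", "key"):
            path = sec.get(opt)
            if not path or not os.path.isfile(path):
                findings.append((ini, opt, "missing"))
            elif opt == "key":
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if os.name == "posix" and mode & 0o077:
                    findings.append((ini, opt, "key readable by group/other"))
                with open(path, "rb") as fh:
                    key_users[hashlib.sha256(fh.read()).hexdigest()].append(ini)
    for users in key_users.values():
        if len(users) > 1:  # same private key material behind several components
            note = "shared with %d other ini file(s)" % (len(users) - 1)
            findings += [(u, "key", note) for u in users]
    return sorted(findings)

def build_demo(root):
    """Constructed sample: three ini files use one key; one certificate is absent."""
    def write(name, text, mode=0o644):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return path
    cert = write("ucsrv_certificate.pem", "constructed certificate placeholder\n")
    key = write("ucsrv_key.pem", "constructed key placeholder\n", 0o600)
    copy = write("agent_key.pem", "constructed key placeholder\n", 0o644)
    section = "[CAPKI]\ncertificate=%s\nkey=%s\n;trusted_cert_folder=\n"
    return [write("ucsrv.ini", section % (cert, key)),
            write("agent.ini", section % (cert, copy)),
            write("other.ini", section % (os.path.join(root, "absent.pem"), key))]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit(build_demo(tmp)), sep="\n")
```

On a real installation, pass the actual ini file paths to `audit()`; a commented-out `trusted_cert_folder=` line, as in the sample, is simply absent from the parsed section.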
Original Message:
Sent: 10-15-2019 10:41 AM
From: Carsten Schmitz
Subject: Connection to AE system could not be established
Hi Stephan,
No, we have yet to delve into CAPKI. At this time we are NOT using it.
Br,
Carsten
Original Message:
Sent: 10-15-2019 10:27 AM
From: Stephan Schiller
Subject: Connection to AE system could not be established
Hi Carsten,
I think these messages are not connected to the login via AWI. I think they're logged when an agent connects to the CP.
We are using CAPKI and my suggestion is that it is in some way correlating with this.
Do you also use CAPKI?
Regards
Stephan
------------------------------
Debeka
Original Message:
Sent: 10-15-2019 10:14 AM
From: Carsten Schmitz
Subject: Connection to AE system could not be established
Hi Stephan.
You can possibly confirm if these messages directly relate to AWI login attempts by having an open terminal window with a "tail -F" on the CP logs, while you try the login. If you can indeed connect those two things, that might be helpful for further diagnosis.
However, I checked the CP logs of my engine and I don't have these messages at all, and I went back and checked old, archived 12.2 logs and didn't find that message in there either. I have no clue what this message means and why it happens when the connection fails. Therefore I suggest, unless someone comes up with more insights in due time, to consider opening a support ticket with Broadcom about this.
Sorry to have no more helpful news.
Br,
Carsten
Original Message:
Sent: 10-15-2019 09:54 AM
From: Stephan Schiller
Subject: Connection to AE system could not be established
Hi Roman and Carsten,
First, thank you for your help. We tried your suggestions, but there seems to be no problem with the ulimit or the connections between the servers.
We figured out that in the CP log a lot of "Search trusted certificates in folder '/xxx/xxx/trusted" messages are listed.
As long as the messages are logged, the login to the AWI doesn't work. As soon as they are no longer logged, the login in AWI is possible.
It makes no difference if we restart the AE or if a CP takes over the task of another CP.
Thereafter we checked the CAPKI settings in the ucsrv.ini, but the parameter "trusted_cert_folder=" is commented.
Can you explain to us where these messages come from? Currently we have no idea.
Regards
Stephan
------------------------------
Debeka
Original Message:
Sent: 10-15-2019 02:56 AM
From: Roman Embacher
Subject: Connection to AE system could not be established
Hi Stephan,
I would suggest that you:
1) Telnet to all existing / running CPs and ports from the web server (to make sure the network is open).
2) Check on Linux if there are any limitations on the engine server (ulimit). If there is a lot of traffic and a limit is hit, that may cause problems.
Does that issue only occur when all agents have to reconnect and the AWI is starting, or is it a general issue?
Maybe try to give the AWI another initial CP connect port, but I am not sure if this will help. As far as I remember, on initial connect to a CP there will be a check which CP is least busy for taking the connection.
Best Regards,
Roman Embacher
R.E. IT Services
Original Message:
Sent: 10-14-2019 11:52 AM
From: Stephan Schiller
Subject: Connection to AE system could not be established
Hello,
We are not able to connect to our AE system. The error message of the AWI is as follows:
Connection to AE system could not be established.
<service-address>:2217 - TimeoutException
We have restarted our Tomcat web server and also the automation engines (cold and warm). But the connection to the CP cannot be established.
We've configured the AWI on this Tomcat web server to another AE system (DEV) to try another connection, and there a login is possible. So the AWI and Tomcat server shouldn't be the problem.
The CP tries to connect to all installed agents (round about 2200). It takes a long time for new connections to be established.
In the log of the CP a lot of socket call errors are listed, e.g. "U00003413 Socket call 'connect(xx.xx.xx.xx,8873)' returned error code '115'."
Does anyone have an idea how to solve this issue?
Versions:
Automation Engine: 12.2.3+build.1558123282415
DB: Oracle 12.2.0.1.0 - 64bit
AWI: 12.2.3.GA01-dev-feature-12.2.3-GA01-89509
Kind regards
Stephan Schiller
------------------------------
Stephan Schiller
Debeka
------------------------------